February 24, 2012

Once Again, CAPTCHAs Need to Get Harder

It’s been getting harder to prove you’re a human online in recent years. The squiggly letters known as CAPTCHAs that protect websites against spam software have got more distorted, as the software has got better at reading them.

That was why I thought it worth noting when NuCaptcha launched its video CAPTCHAs, which are easier for humans but still secure and have been adopted by sites including Groupon. Now researchers at Stanford suggest they, too will have to become more cryptic.

Elie Bursztein led the research, and explains on his blog how he designed software that compared multiple frames from NuCaptcha’s videos to spot and decode the jiggling letters needed to enter a site protected by a NuCaptcha puzzle. Video CAPTCHAs require the use of techniques not used against the puzzles before to isolate the puzzle amongst everything else in the footage, says Bursztein. But once software has located the string, but also provide multiple copies of the same puzzle, which makes it easier to solve. He reports that software that identifies video frames showing the CAPTCHA then goes back to the video to track the movement of the letters to accurately isolate them for recognition can beat NuCaptcha with close to 100 percent accuracy.

In response (full statement here), NuCaptcha have pointed out that their software tracks computers that solves their puzzles and serves up more complex versions than Bursztein cracked to very active solvers, which may be attackers. However, Bursztein says those harder versions pose little extra difficulty to his methods.

Fortunately, Bursztein also suggests that tweaks could make video CAPTCHAs even more secure than regular ones. If decoy objects designed to confuse video processing algorithms were added then CAPTCHA-cracking bots would not be able to tell which object needed decoding to beat the puzzle. Whether those designs also make it harder for humans to solve the puzzles is another matter.

Given the gradual increase in the proportion of CAPTCHAs that I need more than one attempt to solve, I’m not optimistic.